package com.teamwings.util;

import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class XssHelper {

	/**
	 * 预编译Pattern
	 */
	private static final Pattern SCRIPT_PATTERN_1 = Pattern.compile("<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE);
	private static final Pattern SCRIPT_PATTERN_2 = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	private static final Pattern SCRIPT_PATTERN_3 = Pattern.compile("</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE);
	private static final Pattern SCRIPT_PATTERN_4 = Pattern.compile("<[\r\n| | ]*script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	private static final Pattern SCRIPT_PATTERN_5 = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	private static final Pattern SCRIPT_PATTERN_6 = Pattern.compile("e-xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	private static final Pattern SCRIPT_PATTERN_7 = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE);
	private static final Pattern SCRIPT_PATTERN_8 = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE);
	private static final Pattern SCRIPT_PATTERN_9 = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

	private static final String[] XSS_STR = "'|and |exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+".split("\\|");

	/**
	 * xss 字符替换
	 * @param body /
	 * @return /
	 */
	public static String xssSqlLeach(String body) {
		if (body == null || body.isEmpty()) {
			return body;
		} else {
			body = stripXssAndSql(body);
		}
		StringBuilder sb = new StringBuilder(body.length());
		for (int i = 0; i < body.length(); i++) {
			char c = body.charAt(i);
			switch (c) {
				case '>':
					// 转义大于号
					sb.append(">");
					break;
				case '<':
					// 转义小于号
					sb.append("<");
					break;
				case '\'':
					// 转义单引号
					sb.append("'");
					break;
				case '&':
					// 转义&
					sb.append("&");
					break;
				default:
					String s1 = c + "";
					String s = s1.replaceAll(".*([';]+|(--)+).*", "");
					sb.append(s);
					break;
			}

		}
		return sb.toString();
	}

	/**
	 * 防止xss跨脚本攻击（替换，根据实际情况调整）
	 * @param value /
	 * @return /
	 */
	public static String stripXssAndSql(String value) {
		if (value != null) {
			value = SCRIPT_PATTERN_1.matcher(value).replaceAll("");
			// Avoid anything in a
			// src="http://www.yihaomen.com/article/java/..." type of
			// e-xpression
			value = SCRIPT_PATTERN_2.matcher(value).replaceAll("");
			// Remove any lonesome </script> tag
			value = SCRIPT_PATTERN_3.matcher(value).replaceAll("");
			// Remove any lonesome <script ...> tag
			value = SCRIPT_PATTERN_4.matcher(value).replaceAll("");
			// Avoid eval(...) expressions
			value = SCRIPT_PATTERN_5.matcher(value).replaceAll("");
			// Avoid e-xpression(...) expressions
			value = SCRIPT_PATTERN_6.matcher(value).replaceAll("");
			// Avoid javascript:... expressions
			value = SCRIPT_PATTERN_7.matcher(value).replaceAll("");
			// Avoid vbscript:... expressions
			value = SCRIPT_PATTERN_8.matcher(value).replaceAll("");
			// Avoid onload= expressions
			value = SCRIPT_PATTERN_9.matcher(value).replaceAll("");
		}
		return value;
	}

	/**
	 * 过滤参数
	 * @param value 参数
	 * @return -
	 */
	public static boolean checkXssAndSql(String value) {
		boolean flag;
		if (value != null) {
			flag = SCRIPT_PATTERN_1.matcher(value).find();
			if (flag) {
				return true;
			}
			flag = SCRIPT_PATTERN_2.matcher(value).find();
			if (flag) {
				return true;
			}
			// Remove any lonesome </script> tag
			flag = SCRIPT_PATTERN_3.matcher(value).find();
			if (flag) {
				return true;
			}
			// Remove any lonesome <script ...> tag
			flag = SCRIPT_PATTERN_4.matcher(value).find();
			if (flag) {
				return true;
			}
			// Avoid eval(...) expressions
			flag = SCRIPT_PATTERN_5.matcher(value).find();
			if (flag) {
				return true;
			}
			// Avoid e-xpression(...) expressions
			flag = SCRIPT_PATTERN_6.matcher(value).find();
			if (flag) {
				return true;
			}
			// Avoid javascript:... expressions
			flag = SCRIPT_PATTERN_7.matcher(value).find();
			if (flag) {
				return true;
			}
			// Avoid vbscript:... expressions
			flag = SCRIPT_PATTERN_8.matcher(value).find();
			if (flag) {
				return true;
			}
			// Avoid onload= expressions
			flag = SCRIPT_PATTERN_9.matcher(value).find();
			if (flag) {
				return true;
			}
			// sql注入过滤
			String v = value.toLowerCase();
			// String[] xssArr = XSS_STR;
			for (String s : XSS_STR) {
				if (v.contains(s)) {
					return true;
				}
			}
		}
		return false;
	}
}
